Thursday, October 9, 2008

“Browser hijacking is a real phenomenon, which can become manifest through unwanted pop-ups, new ‘favorites’ that a user cannot delete, a new home page, and other forms of loss of control over one’s computer. At the same time, browser hijacking is not always responsible for the presence of unwanted spyware and other malware. A common culprit for the transmission of these viruses is the downloading of otherwise innocent material such as games or news from disreputable Websites that infect users’ computers with spyware and viruses, and that, in certain cases, direct users to illegal or sexually explicit Websites.”

As the article states, this has been offered as a defense in cases involving contraband such as child pornography, and also in wrongful termination cases involving surfing pornography while on the company computer.

The issue is that while it seems logical and should be apparent that this kind of thing can happen to the most innocent of users, juries have been decidedly less than receptive to this as a defense.

In order to mount this as a defense, it must first be established that a browser hijacker existed and was active at the time the images were downloaded. This can be difficult if the computer was subsequently cleaned up by anti-virus or anti-spyware software. If the program doing the cleaning kept a log of what was cleaned and when, then clues can be obtained from those logs. Sadly, a lot of these programs do not keep a history of what they did.

The second and most effective challenge to this as a defense is the existence of Typed URLs. A moment to explain: the address that you type into the box at the top of your browser to go to a web site, like www.yahoo.com, is called a URL, or Uniform Resource Locator. In common terms we call this the web site address. In truth it is a human-language nickname for the real address of the web site. For instance, if I said I wanted to go see someone, I would say I was going to Bob Smith's home at 110 Cherry Lane. I can understand that and even get there if I know the way. But if I type that address into my GPS, it does not see it as 110 Cherry Lane; it sees it as a set of Geographic Positioning Coordinates like 4.567, 123.444. The same thing happens when you type www.yahoo.com into your browser address box. The computer sees that as a string of numbers that is the real address of the server providing yahoo.com's web pages to you, such as 206.190.60.37 (the real address for yahoo.com).

Okay, now that you understand that what you type into the address box is a way for humans to remember web page addresses (who would want to have to remember 206.190.60.37?), it is important that you understand a couple of other things. How does www.yahoo.com become 206.190.60.37?

Out there in the world there are things called DNS servers. DNS stands for Domain Name Service. What the DNS server does is have a big table that matches names with actual addresses, so that when you type in www.yahoo.com, your browser (Internet Explorer or Safari or Mozilla, etc.) asks the DNS server to tell it where www.yahoo.com really is. The DNS server looks at its table, matches www.yahoo.com to the address 206.190.60.37 and then tells the browser to ask that server for web pages. It works just like a giant phone book that matches Bob Smith with his phone number so you know what number to dial to talk to Bob.

Now, back to Typed URLs and why they are so pesky in this type of defense:

Just like the name implies, Typed URLs are the addresses that you, the computer user, type into that address box. Secretly in the background, Microsoft Windows records those in a place you can't see unless you know where to look.

When the computer hard drive is examined for evidence, that is one of the first places a forensics expert will look to see if the user was actually typing in addresses for bad sites.

But there is one way this can actually help you: if a Typed URL is a slight misspelling of a legitimate site's address, and that misspelling sent you to a porn site, then you have some evidence that can help you.

For a long time the address www.whitehouse.com was a major porn site. There is no telling the number of innocent people who went there looking for www.whitehouse.gov (the real address for The White House). Who knows how many elementary school kids got an eyeful trying to research their homework.

Another common trick of the porn industry, and of insidious web sites that like to infect your computer, is the old misspelling trick. A lot of these have been shut down now, thankfully. For instance, if you wanted to go to www.microsoft.com but you are a poor typist like me and tend to type in www.microfost.com, you would have gone to a porn trap site.

If these common misspellings or mis-addresses show up in your Typed URL records on the computer, you have some evidence that you did not intentionally go to a porn site.
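An added example (not from the original post) of the check described above: it takes Typed URL entries already exported from the computer and flags those that are a top-level-domain swap or a small typing error away from a legitimate site. The reference list of sites, the sample entries and the two-edit threshold are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Assumption: reference list of legitimate sites the user plausibly meant
# to visit; in casework the examiner builds this from the user's own habits.
KNOWN_SITES = ["whitehouse.gov", "microsoft.com", "yahoo.com"]

# Constructed sample of exported Typed URL entries (not from a real case).
SAMPLE_TYPED_URLS = ["http://www.yahoo.com/", "http://www.whitehouse.com/",
                     "www.microfost.com", "http://www.mircosoft.com/",
                     "http://www.example.org/"]

def host_of(entry):
    """Return the lower-cased host of a typed entry, without a leading 'www.'."""
    if "://" not in entry:
        entry = "http://" + entry  # typed entries often omit the scheme
    host = (urlsplit(entry).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host

def typo_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap as 1 each."""
    prev2, prev = None, list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            best = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb))
            if prev2 is not None and j > 1 and ca == b[j - 2] and a[i - 2] == cb:
                best = min(best, prev2[j - 2] + 1)  # adjacent transposition
            cur.append(best)
        prev2, prev = prev, cur
    return prev[-1]

def classify(entry, known=KNOWN_SITES, max_edits=2):
    """Label one entry: exact, tld-swap, near-miss or unrelated, with the matched site."""
    host = host_of(entry)
    if host in known:
        return ("exact", host)
    name = host.rpartition(".")[0]
    for site in known:
        if name and name == site.rpartition(".")[0]:
            return ("tld-swap", site)  # same name, different top-level domain
    scored = sorted((typo_distance(host, site), site) for site in known)
    if scored and scored[0][0] <= max_edits:
        return ("near-miss", scored[0][1])
    return ("unrelated", None)

def review(entries):
    """Classify every entry, keeping the original order of the records."""
    return [(e, *classify(e)) for e in entries]
```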

Raising this as a defense is tricky and takes a considerable amount of skill to pull off. Not only technically, but also in front of a jury who will need a lot of verbal hand holding to understand it.

But no amount of skill or trickery will convince a jury of evidence you cannot prove. Like the Trojan Horse defense, this shifts the burden of proof from the prosecution and places it squarely on the shoulders of the defense.

There are other factors to consider as well in defending these cases, too many to go into here. But they all must be considered, weighed and presented to the defense attorney as part of the job of the forensics consultant.

No slight to attorneys in any way, but many of them are new to this type of evidence and the implications of same, and depend on the forensics consultant to make sure they understand what they have to work with and what the challenges will be in mounting such a defense from a technical standpoint. If there is one to mount at all.

2 comments:

My name is Fima. I live in Minneapolis, MN. I came to US as political refugee on human rights violations in former USSR. I am Russian Jew, and I got a lot of discrimination in USSR. My parents are Holocaust survivors. But I got the worst thing in USA, never possible in communist country. I was set up with my computer, convicted as a s..x offender for computer p..rn. I would like to send you some links to publications about my criminal case. I was forced to confess to the possession of internet digital pictures of p..rn in deleted clusters of my computer hard drive. My browser was hijacked while I was browsing the web. I was redirected to illegal sites against my will. Some illegal pictures were found on my hard drive, recovering in unallocated clusters, without dates of file creation/download.

I do not know how courts can widely press these charges on people to convict them, while the whole Internet is a mess.

I was fired from many jobs, and I am out of job for 5 years. Also police watch me all the time naming me a predator. I am not a predator, I came here in hope to escape human rights violations, but I got completely terrible violations by government.

I read some of the news reports you linked to in your comment. Sadly, some of the "experts" actually gave wrong information in the articles. Saying that pictures cached by the browser will not be in unallocated space is incorrect. Many times, that is the only place from which they will be recovered.

Sadly, without the benefit of an experienced and qualified expert on the defense, it is difficult to refute the claims made by the prosecution expert.

I am not an attorney, but my understanding is that if you waived your right to an appeal when you accepted the plea bargain, you are pretty much out of luck for ever getting it changed.

Only an attorney in your jurisdiction can answer that question as each state in the US has its own specific laws. If this was a state level case, that is.

A lot of these types of cases get pled out for various reasons, mostly because the plea offer is far less severe than rolling the dice in a jury trial where the sentencing can be very harsh.

I speak to a lot of attorneys in these types of cases where they opt to plea rather than go to court, simply because the possibility of getting 10 years in prison for is not worth the risk versus getting 18 months in jail, or several years probation.

If you think it was bad when you were arrested, it is much worse now as penalties continue to get more severe and what qualifies for prosecution for child porn becomes broader every year.

About EX FORENSIS

This is where I share my thoughts on the digital forensics field, talk about recent court rulings that impact digital forensics and anything else that comes to mind; mostly serious, sometimes not so much.

All writings on this blog are the original works of the author, Larry E. Daniel, unless otherwise stated, and are subject to the copyright laws of the United States.

Disclaimer

I am not an attorney. Nothing I post in this blog is intended to be, nor should be considered as legal advice. If you have a legal question you should seek the services of a licensed attorney in your area. Guest authors or others who are invited to post here are covered by the same disclaimer. Nothing on this blog is legal advice.